PSD2. How should banks prepare their IT architecture?
Early 2018 will see the EU’s Revised Payment Services Directive (PSD2) enter into force, which will apply to all Member States. The changes introduced by PSD2 will require customer-account holding institutions to take appropriate actions. Banking institutions will need to quickly adapt their IT architecture to meet the new requirements, while also remaining competitive in the banking services market.
PSD2 directive – new regulations for banking services
Technological development, including digitalization and the continuous growth of the e-economy (i.e. e-commerce and electronic services), has led to the emergence of new products that have not been regulated so far. One of the goals of the directive is to enable third parties (TPPs – Third Party Providers) to access bank accounts. This will happen by introducing two new types of services to the payment services catalog:
– AIS (Account Information Service) – a service whereby TPPs can access information about the customer’s payment accounts with one or more providers. In this way, via the TPP customers will immediately obtain information about their financial situation.
– PIS (Payment Initiation Service) – a service whereby the TPP is given access to the customer’s online accounts and can make payments on the customer’s behalf. The TPP will be able to initiate a payment to a specific recipient, and then report it to the customer.
Understandably, TPPs will be able to perform those services only with the customer’s consent.
Another key new feature is the obligation to use the Strong Customer Authentication (SCA), a two-factor authentication mechanism that increases the security of electronic payments. This means that authentication should be based on the use of at least two elements categorized as:
– knowledge (something only the user knows, e.g. login details);
– possession (something only the user possesses, e.g. an SMS code);
– inherence (something the user is).
Customer authentication is to be universal for all online transactions exceeding 10 euro, which provides for additional steps when making payments, e.g. entering a password, a one-time code from a scratch card or a text message.
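The SCA rule above has two parts worth encoding explicitly: the two factors must come from distinct categories (two knowledge elements are one factor, not two), and the check is triggered by the article's 10 euro threshold. The following is an added illustration written for this page, not code from the article or from any bank; the factor names, the `Factor` record and `authorize_payment` are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal

# Factor categories as the directive names them. A second element only counts
# if it belongs to a different category than the first (hypothetical mapping).
FACTOR_CATEGORIES = {
    "password": "knowledge",        # something only the user knows
    "pin": "knowledge",
    "sms_otp": "possession",        # proves possession of the registered phone
    "hardware_token": "possession",
    "fingerprint": "inherence",     # something the user is
    "face": "inherence",
}

# Threshold stated in the article: SCA applies to online transactions exceeding 10 EUR.
SCA_THRESHOLD_EUR = Decimal("10")


@dataclass(frozen=True)
class Factor:
    kind: str
    verified: bool  # outcome of the bank's own verification of that element


def sca_satisfied(factors):
    """True if at least two verified factors from distinct categories were presented."""
    categories = set()
    for f in factors:
        if not f.verified:
            continue  # an unverified element contributes nothing
        category = FACTOR_CATEGORIES.get(f.kind)
        if category is None:
            raise ValueError(f"unknown factor kind: {f.kind}")
        categories.add(category)
    return len(categories) >= 2


def sca_required(amount_eur):
    """Only payments strictly above the 10 EUR threshold must go through SCA."""
    return Decimal(amount_eur) > SCA_THRESHOLD_EUR


def authorize_payment(amount_eur, factors):
    """Decide whether a PIS-initiated payment may proceed.
    Returns (allowed, reason) so the decision can be logged for audit."""
    if not sca_required(amount_eur):
        return True, "below SCA threshold"
    if sca_satisfied(factors):
        return True, "SCA satisfied"
    return False, "SCA required: two verified factors from distinct categories"
```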
PSD2 requirements for banks. How to prepare the IT architecture?
Under PSD2, banks and other institutions that maintain payment accounts will be obliged to securely disclose data to third parties. In the context of IT architecture, this requires the preparation of APIs for use by TPPs. Each bank will be required to design appropriate services to ensure that account data can be used by all eligible entities (Figure 1). After receiving the payment order via the TPP, banks provide or make available to the TPP all information about initiation of the payment transaction and all information available to the account-holding payment service provider in relation to the execution of the payment transaction. The payment service provider should ensure secure communication with the TPP.
So far, most banks haven’t had any obligation or need to make such data available to third parties, which is why they will only now start to analyze and use such solutions. From the point of view of payment service providers, making the user’s payment account available to third parties is an additional risk factor (notably in the context of personal data protection), which is an issue that banks and other institutions will need to address. Now banks will be required to meet certain standards, both regarding the interface definition and the need to ensure secure communication.
Use the Anypoint Platform as a solution to make your services available!
Given the upcoming roll-out of PSD2, integration system providers are adapting their solutions to the requirements that banks and other account-holding institutions will have to meet. For this reason, banks will be looking for ways to securely share their data, most likely through an Open API, which will be available to banking entities, among others. One of the best solutions for the appropriate adaptation of IT architecture to these changes is the Anypoint Platform from MuleSoft. This tool was designed to support Service-Oriented Architecture (SOA), tackle the associated challenges and leverage the opportunities arising from both PSD2 and “open banking”. This approach changes the IT operations path and decentralizes access to data without impairing data governance or security.
Banks have complex structures and elaborate communication methods, which call for agility and flexibility. These requirements can be addressed by using a multi-layer architecture (Figure 2).
The bottom layer for central systems is the foundation for all IT architecture, which may include, for example, the core of the banking system, key payment systems and the bank’s own databases. Access to these systems is often restricted by security regulations and policies. APIs for those systems will improve data synchronization and enable the development of services specifically for core systems. APIs provide a means of access to core systems by registering and exposing data, often in canonical form. These rarely changing APIs will be controlled by the central IT layer, whose key role will be to protect material data.
The second layer, process APIs, is responsible for handling business data, but independently from source systems from which the data originate or target channels to which the data are to be delivered. At this level, banks can automate business processes and improve the integration of banking applications. These APIs allow specific functions to be performed for any location, product or channel, while not having direct access to central data.
At the top level, the Experience Layer, data can be processed in a wide range of channels, each of which can access the same data in different forms. For example, an ATM, mobile application, electronic banking or a third party provider (TPP) can have access to the same customer information fields, while adjusting the data format to fit each group. This layer (Experience API) helps in configuring data to make their use easier by recipients. This facilitates compliance with PSD2 requirements without creating new, separate point-to-point integrations for each channel.
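The three layers just described can be sketched as three small functions: a canonical record from the system layer, a process API that filters it to the scopes the customer consented to, and an experience API that shapes the same data for an ATM, the mobile app and a TPP. This is an added example written for this page, not MuleSoft code or any bank’s implementation; the account record, the scope names and the `Consent` type are constructed placeholders.

```python
from dataclasses import dataclass, field

# System layer: a constructed canonical account record standing in for what a
# system API would read from the core banking system (placeholder values).
CANONICAL_ACCOUNT = {
    "iban": "XX00BANK0000000000000000",
    "balance_eur": "1530.25",
    "transactions": [{"id": "tx-1", "amount_eur": "-42.10"},
                     {"id": "tx-2", "amount_eur": "2500.00"}],
    "internal_risk_flag": "none",   # internal field; no channel may ever see it
}

# Process layer: which canonical fields each consent scope unlocks (hypothetical names).
SCOPE_FIELDS = {
    "balances": {"iban", "balance_eur"},
    "transactions": {"iban", "transactions"},
}
BANK_OWN_SCOPES = set(SCOPE_FIELDS)  # the bank's own channels see every scope


@dataclass
class Consent:
    tpp_id: str
    service: str                             # "AIS" or "PIS", as in the directive
    scopes: set = field(default_factory=set)  # AIS scopes the customer granted


def process_account_view(record, scopes):
    """Process API: reduce the canonical record to the granted scopes only."""
    allowed = set().union(*(SCOPE_FIELDS[s] for s in scopes if s in SCOPE_FIELDS))
    return {k: v for k, v in record.items() if k in allowed}


def experience_view(record, channel, consent=None):
    """Experience API: the same data, shaped differently for each channel."""
    if channel == "tpp":
        # A TPP only gets data under an AIS consent; a PIS consent does not cover it.
        if consent is None or consent.service != "AIS":
            raise PermissionError("account information requires a valid AIS consent")
        view = process_account_view(record, consent.scopes)
        out = {"tpp": consent.tpp_id, "account": {"iban": view.get("iban")}}
        if "balance_eur" in view:
            out["balances"] = [{"amount": view["balance_eur"], "currency": "EUR"}]
        if "transactions" in view:
            out["transactions"] = [{"id": t["id"], "amount": t["amount_eur"],
                                    "currency": "EUR"} for t in view["transactions"]]
        return out
    view = process_account_view(record, BANK_OWN_SCOPES)
    if channel == "atm":
        return {"balance": view["balance_eur"]}   # ATM shows the balance only
    if channel == "mobile":
        return view
    raise ValueError(f"unknown channel: {channel}")
```

Note that the internal flag is dropped in the process layer, so no experience-layer shape can leak it, which is the point of keeping channel formatting separate from data access.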
By working with the largest companies and several top-tier banks that use the Anypoint Platform, MuleSoft has developed a set of best practices for launching new initiatives, connecting systems or unlocking data for the whole organization, often while also being 2–5 times faster and reducing integration costs by approximately 30%. This solution ensures the continuous expansion of services, alongside stable growth. And banking market developments, such as PSD2, show how quickly and flexibly banks need to adapt to new requirements.
PSD2 is another initiative that puts pressure on banks to increase the availability of banking data and create new features supporting customer service. Whatever approach is chosen, banks will have to expand their digitization capabilities to remain competitive in reaching customers with new offers.
Most importantly, banks will also be able to take the role of Account Information Service Providers (AISPs) and Payment Service Providers (PSPs). As a result, these institutions will not only be the “providers” of data and information about their customers, but may also benefit from access to these data from external sources. For this reason, PSD2 also opens the possibility for banks to offer completely new services to customers and to deliver their propositions, services or products via previously unused channels.
Judging by the market dynamics, the near future might bring further changes that will again require financial institutions to adapt the availability of their solutions. It’s a good idea to think ahead.